November 27, 2020

A9-Known Component Vulns

Perform Software Composition Analysis (SCA) to locate libraries that are in use that have existing vulnerabilities.

Attacks

  • Locate old versions of all components in use (both client-side and server-side). This includes components directly used as well as nested dependencies.
  • Locate software that is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.
  • Locate vulnerabilities regularly and subscribe to security bulletins related to the components that are in use.

Defenses

There should be a patch management process in place to:

  • Remove unused dependencies, unnecessary features, components, files, and documentation.
  • Continuously inventory the versions of both client-side and server-side components (e.g. frameworks, libraries) and their dependencies using tools like versionsDependencyCheckretire.js, etc. Continuously monitor sources like CVE and NVD for vulnerabilities in the components. Use software composition analysis tools to automate the process. Subscribe to email alerts for security vulnerabilities related to components you use.
  • Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.
  • Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.

Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio.